Total
298924 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-11190 | 1 Jidaikobo | 1 Jwp-a11y | 2025-06-12 | N/A | 4.8 MEDIUM |
| The jwp-a11y WordPress plugin through 4.1.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-11141 | 1 Jontasc | 1 Sailthru Triggermail | 2025-06-12 | N/A | 6.1 MEDIUM |
| The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape some of its settings and is missing CSRF protection which could allow subscribers to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2024-10818 | 1 Wvega | 1 Jsfiddle Shortcode | 2025-06-12 | N/A | 5.4 MEDIUM |
| The JSFiddle Shortcode WordPress plugin before 1.1.3 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | |||||
| CVE-2024-10677 | 1 Bluetrait | 1 Blue Trait Event Viewer | 2025-06-12 | N/A | 4.3 MEDIUM |
| The BTEV WordPress plugin through 2.0.2 does not have CSRF check in place when updating its settings, which could allow attackers to make a logged in admin change them via a CSRF attack | |||||
| CVE-2024-10639 | 1 Klarned | 1 Auto Prune Posts | 2025-06-12 | N/A | 4.8 MEDIUM |
| The Auto Prune Posts WordPress plugin before 3.0.0 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2022-31860 | 1 Openremote | 1 Openremote | 2025-06-12 | N/A | 9.8 CRITICAL |
| An issue was discovered in OpenRemote through 1.0.4 allows attackers to execute arbitrary code via a crafted Groovy rule. | |||||
| CVE-2022-26461 | 2 Google, Mediatek | 15 Android, Mt6833, Mt6853 and 12 more | 2025-06-12 | N/A | 6.7 MEDIUM |
| In vow, there is a possible undefined behavior due to an API misuse. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07032604; Issue ID: ALPS07032604. | |||||
| CVE-2024-10143 | 1 Deluxeblogtips | 1 Mb Custom Post Types \& Custom Taxonomies | 2025-06-12 | N/A | 4.8 MEDIUM |
| The MB Custom Post Types & Custom Taxonomies WordPress plugin before 2.7.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | |||||
| CVE-2023-7086 | 1 Ablyperu | 1 Svg Uploads Support | 2025-06-12 | N/A | 5.4 MEDIUM |
| The SVG Uploads Support WordPress plugin through 2.1.1 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2023-7088 | 1 Inventivo | 1 Inventivo | 2025-06-12 | N/A | 5.4 MEDIUM |
| The Add SVG Support for Media Uploader | inventivo WordPress plugin through 1.0.5 does not sanitize uploaded SVG files, which could allow users with a role as low as Author to upload a malicious SVG containing XSS payloads. | |||||
| CVE-2025-44110 | 1 Fluxbb | 1 Fluxbb | 2025-06-12 | N/A | 5.4 MEDIUM |
| FluxBB 1.5.11 is vulnerable to Cross Site Scripting (XSS) in via the Forum Description Field in admin_forums.php. | |||||
| CVE-2025-47884 | 1 Jenkins | 1 Openid Connect Provider | 2025-06-12 | N/A | 9.1 CRITICAL |
| In Jenkins OpenID Connect Provider Plugin 96.vee8ed882ec4d and earlier the generation of build ID Tokens uses potentially overridden values of environment variables, in conjunction with certain other plugins allowing attackers able to configure jobs to craft a build ID Token that impersonates a trusted job, potentially gaining unauthorized access to external services. | |||||
| CVE-2025-47885 | 1 Jenkins | 1 Health Advisor By Cloudbees | 2025-06-12 | N/A | 8.8 HIGH |
| Jenkins Health Advisor by CloudBees Plugin 374.v194b_d4f0c8c8 and earlier does not escape responses from the Jenkins Health Advisor server, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to control Jenkins Health Advisor server responses. | |||||
| CVE-2025-47886 | 1 Jenkins | 1 Cadence Vmanager | 2025-06-12 | N/A | 4.3 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers to connect to an attacker-specified URL using attacker-specified username and password. | |||||
| CVE-2025-47887 | 1 Jenkins | 1 Cadence Vmanager | 2025-06-12 | N/A | 4.3 MEDIUM |
| Missing permission checks in Jenkins Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified username and password. | |||||
| CVE-2025-47888 | 1 Jenkins | 1 Dingtalk | 2025-06-12 | N/A | 5.9 MEDIUM |
| Jenkins DingTalk Plugin 2.7.3 and earlier unconditionally disables SSL/TLS certificate and hostname validation for connections to the configured DingTalk webhooks. | |||||
| CVE-2025-47889 | 1 Jenkins | 1 Wso2 Oauth | 2025-06-12 | N/A | 9.8 CRITICAL |
| In Jenkins WSO2 Oauth Plugin 1.0 and earlier, authentication claims are accepted without validation by the "WSO2 Oauth" security realm, allowing unauthenticated attackers to log in to controllers using this security realm using any username and any password, including usernames that do not exist. | |||||
| CVE-2025-46052 | 1 Weberp | 1 Weberp | 2025-06-12 | N/A | 9.8 CRITICAL |
| An error-based SQL Injection (SQLi) vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL command and extract sensitive data by injecting a crafted payload into the DEL form field in a POST request to /StockCounts.php | |||||
| CVE-2025-46053 | 1 Weberp | 1 Weberp | 2025-06-12 | N/A | 5.1 MEDIUM |
| A SQL Injection vulnerability in WebERP v4.15.2 allows attackers to execute arbitrary SQL commands and extract sensitive data by injecting a crafted payload into the ReportID and ReplaceReportID parameters within a POST request to /reportwriter/admin/ReportCreator.php | |||||
| CVE-2025-48051 | 1 Lichess | 1 Powertip.ts | 2025-06-12 | N/A | 4.7 MEDIUM |
| powertip.ts in Lila (for Lichess) before ab0beaf allows XSS in some applications because of an innerHTML usage pattern in which text is extracted from a DOM node and interpreted as HTML. | |||||